> I look at this a while back, well over a year i think now. And the
> problem was that openvas does not actually test for the Vuln but it
> tries to use content to assume the exploits will not work. That is a
> very risky situation to get into.
In terms of a proper security assessment; this is a debate that we have
within the OpenVAS developer community and I am actually on your side with
this. I won't bother the Centos list with more details than that unless
anyone specifically wants me to go into greater details except to say that
this is not technical limitation, just a policy of the authors who are
writing the testing scripts.
However, in terms of simply looking to see what known patches are missing,
the current method of assessment is sufficient and complete. The question
assumes that patches already exist and therefore they can be queried for in
the RPM database to see if they exist (with the needed info encoded in the
release strings).
If we are talking about missing patches that do NOT exist, IOW, looking for
vulnerabilities that the Centos devs or upstream have not addressed yet...
then other tools may be more appropriate.
-geoff
---------------------------------
Geoff Galitz
Blankenheim NRW, Germany
http://www.galitz.org/http://german-way.com/blog/